Re: Proposal to include obligatory PGP verification of packages from any


From: Jean Louis
Subject: Re: Proposal to include obligatory PGP verification of packages from any repository
Date: Tue, 20 Oct 2020 10:40:18 +0300
User-agent: Mutt/+ (1036f0e) (2020-10-18)

* Stefan Monnier <monnier@iro.umontreal.ca> [2020-10-20 00:53]:
> >> > Is there a policy that GNU ELPA packages should be signed?
> >> Not sure what that would mean: *we* sign it, so there's no policy to
> >> enforce.  At most there are bugs to fix if the sigs are missing
> >> or incorrect.
> > It would be good to implement the policy.
> 
> I don't know what that means (neither "the policy" nor "implement").

Rules of maintenance, simply said:

- that every request to any ELPA goes over an SSL connection, i.e. to
  totally disable non-SSL connections to archives. Many countries spy
  on their citizens, and in many of those countries citizens are using
  encryption features even though it could be illegal to use
  encryption. By using a non-SSL connection, or allowing such, the
  possibility is there that a user gets into danger of life. This is
  one very real example; it will look unreal to many who are in normal
  countries. I have a friend in such a country.

- that all packages are signed by default and that Emacs expects such
  by default

There is a set of principles for Emacs Lisp packaging in the info
manual; those changes are only beneficial for the future.

Read this link that Vasilij presented to me yesterday:
https://medium.com/hackernoon/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

That does happen. Research the report on this site:
https://snyk.io/blog/javascript-frameworks-security-report-2019/

Compare the insecurities of similar software package repositories for
other languages to Emacs, and implement policies to prevent such
insecurities in the future.

To implement means in this context to follow through, follow up,
follow out, carry out, implement, put through, go through -- pursue
to a conclusion or bring to a successful issue (Wordnet); there may be
other definitions in other contexts. I speak of carrying out.

Policy means a plan of action adopted by an individual or social
group; "it was a policy of retribution"; "a politician keeps changing
his policies" (Wordnet) -- there may be other definitions in other
contexts. I speak of adopting a plan of action for Emacs development.

> >> > What I expect is a method for user to easily verify and know by which
> >> > key was which package signed, such function should exist.
> >> What does Debian do in this respect?
> > There are ways to verify package authenticity,
> 
> How?  What does "package authenticity" mean?
> Do you get to see which key signed which package?

I skip this, I am sure you know it.

> > Vasilij pointed out how it should be done.  Verifications in Debian or
> > Archlinux how I see it, happen in real time during installation and
> > that is by default.
> 
> Right, just as we do with GNU ELPA, AFAICT.

It is not by default, surprisingly to me. I had to turn on the option
to have package signatures verified.

> > So instead of using external gpg program, maybe you as developers
> > could use gnutls library and that API to create signatures for
> > packages in case that PGP/GnuPG cannot work.
> 
> The problem is not to create signatures (which we do on our own machines
> where we can easily make sure PGP is installed) but to verify them.

Maybe gnutls offers that API; I cannot know technically, but I could
see that the API is there.

> >> - the signature system was introduced relatively shortly before it was
> >>   deployed for Emacs-24.4, so we did not want to break it for the other
> >>   ELPA archives.
> > I understand and I find it unfortunate, and still suggest that it
> > becomes enabled now, and not years there after.
> 
> The current default made sense then.  Maybe it should be changed
> now, indeed.

Thank you,

Think about the growing number of:

- users
- developers
- packages
- fascism and varieties of oppression in the world

Jean
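[Editor's added example, not part of Jean's message or of package.el
itself: what the two "rules of maintenance" above look like when a
user enforces them in an init file today, plus a small function that
answers the earlier question of which key signed a given package. The
`my/` functions, the archive list and the example file paths are
assumptions for illustration; the `package-*`, `epg-*`, `gnutls-*`
and `network-security-level` variables and functions are the ones
Emacs ships with.]

```elisp
;;; Added example (not from the thread or from package.el).
;;; Enforces HTTPS-only archives and mandatory signatures, and reports
;;; which OpenPGP key signed a package file.

(require 'package)
(require 'epg)

;; Rule 1: archives must be reached over TLS only.
;; `package-archives' is an alist of (NAME . URL).  Assumed list:
(setq package-archives
      '(("gnu"   . "https://elpa.gnu.org/packages/")
        ("melpa" . "https://melpa.org/packages/")))

(defun my/check-archives-use-https (archives)
  "Signal an error if any (NAME . URL) pair in ARCHIVES is not https.
Returns t when every archive URL starts with \"https://\"."
  (dolist (entry archives)
    (let ((url (cdr entry)))
      (unless (string-prefix-p "https://" url)
        (error "Archive %s uses an insecure URL: %s" (car entry) url))))
  t)

;; Fail loudly at startup rather than silently fetching over plain HTTP.
(my/check-archives-use-https package-archives)

;; HTTPS alone is not enough: by default Emacs only warns on a bad
;; certificate.  Make certificate failures hard errors so an active
;; attacker cannot downgrade "https" to "trust anything".
(setq gnutls-verify-error t)
(setq network-security-level 'high)

;; Rule 2: require a valid signature on every package and on the
;; archive-contents index.  Weaker values of `package-check-signature'
;; (`t', `allow-unsigned') let unsigned packages through in some cases;
;; `all' refuses anything unsigned.
(setq package-check-signature 'all)
(setq package-unsigned-archives nil)

;; Which key signed a given file?  FILE is the package (e.g. foo-1.0.tar)
;; and SIG-FILE its detached signature (foo-1.0.tar.sig), as served by an
;; ELPA archive.  Verification uses the keyring package.el itself uses
;; (`package-gnupghome-dir', by default ~/.emacs.d/elpa/gnupg), so the
;; result reflects exactly the trust store that `package-install' would.
(defun my/package-signers (file sig-file)
  "Return (KEY-ID . STATUS) pairs for the signatures in SIG-FILE over FILE.
STATUS is one of the `epg-signature-status' symbols, e.g. `good',
`bad', `expired-key', `revoked-key' or `no-pubkey'."
  (let ((context (epg-make-context 'OpenPGP)))
    (when (file-directory-p package-gnupghome-dir)
      (setf (epg-context-home-directory context) package-gnupghome-dir))
    (epg-verify-file context sig-file file)
    (mapcar (lambda (sig)
              (cons (epg-signature-key-id sig)
                    (epg-signature-status sig)))
            (epg-context-result-for context 'verify))))

;; Example call with assumed paths:
;; (my/package-signers "~/Downloads/foo-1.0.tar" "~/Downloads/foo-1.0.tar.sig")
```

A `good` status only means the signature validates against a key in
`package-gnupghome-dir`; whether that key belongs to the archive you
think it does is still the user's decision, which is why the key ID is
returned alongside the status instead of being collapsed into a boolean.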



